
Companies House suspended its online filing service after a glitch allowed people to edit the personal data of other businesses and potentially expose them to fraud.
A vulnerability in the UK’s official corporate register allowed people to access other companies’ details by pressing the back key on the site’s dashboard.
Data that could reportedly be viewed because of the glitch included directors’ home addresses, email addresses, and dates of birth.
Companies House was alerted to the issue on Friday by Dan Neidle, founder of Tax Policy Associates.
Mr Neidle said the glitch could be “very serious” if it was in place for a long time, adding it was an “absolutely insane vulnerability in how easy it is to find”.
He told the Press Association: “People could get enough data about a company and its directors to potentially commit fraud – to pretend to be it.
“Even worse, they could change the address to their address so they could pick up documents and, if you could file accounts, you could do all kinds of damage.”
Discussing the glitch, Mr Neidle added: “If it was only there for 36 hours, then maybe it’s fine.
“But if it was there for a month or more, it’s very serious.
“Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.”
A Companies House spokesperson said on Friday evening: “We are aware of an issue with our WebFiling service and have closed it while we investigate.
“We apologise for any inconvenience to our customers.”
In guidance for affected customers, Companies House stated: “If you miss your filing deadline due to the service being unavailable, there’s no need to call us.
“File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We’ll take this evidence into account if you cannot file.”
Under the Computer Misuse Act 1990, unauthorised access to computer material carries a maximum prison sentence of two years, and the penalty increases to up to five years for accessing data with the intent to commit further offences, such as fraud.
Companies House maintains records of more than five million companies, including large FTSE 100 companies such as AstraZeneca, Shell, and Tesco.


